feat(ec2): instance-networks introspection endpoint + SDKs + docs (#1745 phase 5) #1758
Open
vieiralucas wants to merge 2 commits into
phase 5) Add a debugging surface for "why can't X reach Y" exposing the real backing network of each EC2 instance, and document the whole #1745 network-isolation story across the website, README, llms.txt and all six introspection SDKs.

- Server: GET /_fakecloud/ec2/instance-networks returns, per instance, the Docker/Podman network or k8s NetworkPolicy backing it, its container IP, the isolation backend (docker/podman/kubernetes/none), the SG-enforcement mechanism (nftables/networkpolicy/disabled), and whether enforcement is active vs degraded. Backed by a new Ec2Runtime::network_isolation_summary.
- SDKs: get_instance_networks / getInstanceNetworks added to all six (Rust/Go/Python/TS/Java/PHP) with the Ec2InstanceNetwork(s) types.
- Docs: introspection.md gains an EC2 section (both endpoints); ec2.md gains a "Network isolation" section (default VPC, per-subnet L3, nftables SG enforcement, k8s NetworkPolicy, compose interop, the NET_ADMIN requirement) and its stale "security groups not enforced" limitation is corrected; README + llms.txt + llms-full.txt updated; every SDK README + SDK doc page gains an EC2 section documenting both introspection methods.

Tests: e2e sdk_ec2_get_instance_networks asserts the endpoint reports the resolved default VPC/subnet and a valid isolation-backend + enforcement mode.
Summary
Phase 5 (final) of EC2 real network isolation (#1745). Stacked on #1757 (phase 4); base retargets as the stack merges.
Adds a debugging surface for "why can't X reach Y" and documents the whole #1745 networking story everywhere.
- GET /_fakecloud/ec2/instance-networks returns, per instance, the Docker/Podman network or k8s NetworkPolicy backing it, its container IP, the isolationBackend (docker/podman/kubernetes/none), the securityGroupEnforcement mechanism (nftables/networkpolicy/disabled), and whether enforcement is enforcementActive vs degraded. Backed by a new Ec2Runtime::network_isolation_summary.
- get_instance_networks / getInstanceNetworks added to all six (Rust/Go/Python/TS/Java/PHP) with the Ec2InstanceNetwork(s) types.
- introspection.md gains an EC2 section (both endpoints); ec2.md gains a Network isolation section (default VPC, per-subnet L3, nftables SG enforcement, k8s NetworkPolicy, compose interop, the NET_ADMIN requirement) and its now-stale "security groups not enforced" limitation is corrected; README + llms.txt + llms-full.txt updated; every SDK README + SDK doc page gains an EC2 section documenting both introspection methods.

Test plan

- crates/fakecloud-e2e/tests/sdk.rs::sdk_ec2_get_instance_networks asserts the endpoint reports the resolved default VPC/subnet and a valid isolation-backend + enforcement mode (passes locally).
- cargo clippy -p fakecloud-ec2 -p fakecloud-sdk -p fakecloud --all-targets -- -D warnings, cargo fmt --all --check, bash scripts/check-doc-counts.sh all clean.
- go build ./... + Python ast.parse clean; TS/PHP validated by their CI lint jobs.

Summary by cubic
Adds an EC2 instance-network introspection endpoint and SDK methods to help debug "why can't X reach Y," and documents real per-subnet isolation with optional security-group/NACL enforcement. Final phase of #1745.

New Features

- GET /_fakecloud/ec2/instance-networks returns per instance the backing network (Docker/Podman network or k8s NetworkPolicy), container IP, isolationBackend (docker/podman/kubernetes/none), securityGroupEnforcement (nftables/networkpolicy/disabled), and enforcementActive (active vs degraded).
- get_instance_networks / getInstanceNetworks added to Rust, Go, Python, TypeScript, Java, and PHP.
- New e2e asserts default VPC/subnet resolution and valid backend/enforcement.
- Minor SDK fixes included (Java import, Python formatting).

Docs

CAP_NET_ADMIN/nft requirement); removed the outdated "security groups not enforced" note. README and SDK docs updated.

Written for commit df23975.
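An added example, not code from this PR or from any of the six fakecloud SDKs, of how a practitioner would turn the per-instance data this endpoint is described as returning into a "why can't X reach Y" verdict. The PR only names the fields isolationBackend, securityGroupEnforcement and enforcementActive; the top-level "instances" list, the instanceId / network / containerIp key names, and the sample payload are assumptions constructed for this example, and the real schema should be taken from introspection.md. The verdict order (no isolation, then per-subnet L3 separation, then disabled or degraded SG enforcement, then the SG rules themselves) follows the isolation story the PR documents.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample response. The PR names the per-instance fields
# isolationBackend, securityGroupEnforcement and enforcementActive; the
# top-level "instances" list and the instanceId / network / containerIp
# key names are assumptions made for this example, not the real schema.
SAMPLE_RESPONSE = json.dumps({
    "instances": [
        {"instanceId": "i-aaaa", "network": "fc-default-subnet-a", "containerIp": "10.0.1.10",
         "isolationBackend": "docker", "securityGroupEnforcement": "nftables", "enforcementActive": True},
        {"instanceId": "i-bbbb", "network": "fc-default-subnet-a", "containerIp": "10.0.1.11",
         "isolationBackend": "docker", "securityGroupEnforcement": "nftables", "enforcementActive": True},
        {"instanceId": "i-cccc", "network": "fc-default-subnet-b", "containerIp": "10.0.2.10",
         "isolationBackend": "docker", "securityGroupEnforcement": "nftables", "enforcementActive": True},
        # Same subnet as i-cccc, but nftables rules did not apply (e.g. no CAP_NET_ADMIN).
        {"instanceId": "i-dddd", "network": "fc-default-subnet-b", "containerIp": "10.0.2.11",
         "isolationBackend": "docker", "securityGroupEnforcement": "nftables", "enforcementActive": False},
        # No isolation backend at all: the instance shares the host network.
        {"instanceId": "i-eeee", "network": "", "containerIp": "172.17.0.2",
         "isolationBackend": "none", "securityGroupEnforcement": "disabled", "enforcementActive": False},
    ]
})


def index_by_id(raw: str) -> dict[str, dict[str, Any]]:
    """Parse the JSON body and key each instance record by its id."""
    body = json.loads(raw)
    return {inst["instanceId"]: inst for inst in body["instances"]}


def explain(instances: dict[str, dict[str, Any]], src_id: str, dst_id: str) -> tuple[str, str]:
    """Classify why src might not reach dst, most fundamental cause first.

    Verdicts:
      NO_ISOLATION  an endpoint has isolationBackend=none; fakecloud blocks nothing
      L3_ISOLATED   different backing networks, i.e. different subnets
      SG_DISABLED   same network but the SG mechanism is "disabled"
      SG_DEGRADED   SG mechanism configured but not active on the destination
      SG_ENFORCED   same network, enforcement active: the SG rules decide
    """
    src, dst = instances[src_id], instances[dst_id]
    if "none" in (src["isolationBackend"], dst["isolationBackend"]):
        return ("NO_ISOLATION",
                "an endpoint runs with isolationBackend=none, so fakecloud imposes no network boundary")
    if src["network"] != dst["network"]:
        return ("L3_ISOLATED",
                f"{src_id} is on {src['network']} and {dst_id} on {dst['network']}: "
                "separate L3 networks, as per-subnet isolation intends")
    if dst["securityGroupEnforcement"] == "disabled":
        return ("SG_DISABLED",
                "same network and security groups are not enforced; look at the app, port or container")
    if not dst["enforcementActive"]:
        return ("SG_DEGRADED",
                f"{dst['securityGroupEnforcement']} enforcement on {dst_id} is degraded; SG rules are not applied")
    return ("SG_ENFORCED",
            f"same network {src['network']} with active {dst['securityGroupEnforcement']}; "
            f"check the SG rules on {dst_id} for source {src['containerIp']}")


def degraded_instances(instances: dict[str, dict[str, Any]]) -> list[str]:
    """Instances whose SG mechanism is configured but reported inactive."""
    return sorted(iid for iid, inst in instances.items()
                  if inst["securityGroupEnforcement"] != "disabled" and not inst["enforcementActive"])


if __name__ == "__main__":
    insts = index_by_id(SAMPLE_RESPONSE)
    for pair in (("i-aaaa", "i-bbbb"), ("i-aaaa", "i-cccc"), ("i-cccc", "i-dddd"), ("i-aaaa", "i-eeee")):
        print(pair, *explain(insts, *pair))
    print("degraded:", degraded_instances(insts))
```

The degraded list is the check worth running before trusting any security-group test against the fake: an instance reporting a configured mechanism with enforcementActive false means the SG rules exist but nothing is applying them, which the PR attributes to the NET_ADMIN requirement not being met.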